Researchers at Harvard University and UC Berkeley have published a document explaining why phishing works on general users.

The ten-page document (PDF), by Rachna Dhamija at Harvard and J.D. Tygar and Marti Hearst at Berkeley, describes a small study in which 22 participants were asked to judge whether websites were legitimate, testing how well today's standard browser security indicators (the address bar, the status bar, the SSL padlock icon) actually protect users. The report also draws on earlier, larger phishing studies by other researchers. The authors conclude that existing browser measures are ineffective for a substantial number of users and argue that alternative approaches are urgently needed.

The report also offers some alarming statistics about phishing. The authors cite research estimating that about two million Americans gave personal information to phishing sites in 2003, resulting in direct losses of $1.2 billion for U.S. banks and card issuers, and phishing has grown substantially since then. Within the study itself, the most convincing phishing site fooled 90% of participants, and participants misjudged the sites they were shown 40% of the time on average. Neither education, age, sex, previous experience, nor hours of computer use per day showed a statistically significant correlation with a participant's susceptibility to phishing, a finding worth reading with the small sample size (22 participants) in mind.

The paper should be taken as a wake-up call for browser makers and financial institutions. Two of the authors, Dhamija and Tygar, are the same researchers who proposed the Dynamic Security Skins Firefox extension in an earlier paper (PDF).